CloudGuard Dome9 Help
Configure SSO using SAML from Google GSuite
- In the G Suite Admin console, navigate to SAML apps.
Click + to add a new service.
Click SETUP MY OWN CUSTOM APP.
- Download the Certificate. We will use it in a later step.
- Keep the Google Admin Console open on this page.
- In a new tab, open the Dome9 console and navigate to: Administration -> Account Settings -> SSO.
- Click Enable.
On the Dome9 SSO Configuration page set the following:
Account ID – This can be any text you want.
Issuer – Copy the “Entity ID” field from Step 2 of the G Suite page and paste it here.
Idp Endpoint URL – Copy the “SSO URL” field from Step 2 of the G Suite page and paste it here.
X.509 certificate – Using a text editor, open the certificate file you downloaded earlier and copy the full contents. Paste it in this field.
Just-in-time provisioning for the account – This option lets Dome9 users be created and deleted when a G Suite user is created or deleted.
Click Save. The page will refresh and you should now see:
- Switch back to G Suite Console and click Next.
- Fill in the details as you like. These are details that users will see.
Click Next. Fill in the following fields.
ACS URL – Copy this URL from the “Login Page” field of the Dome9 SSO configuration. Add: /saml after the /sso (the full URL should look like this:
Entity ID – This is always https://secure.dome9.com/
Name ID Format – Change to “EMAIL”.
- Continue to click Next until you are back at the SAML apps page.
- Click on the newly created Dome9 SAML app.
- Click Edit Service.
- Choose to turn ON/OFF for your organization (or specific groups).
- Switch back to the Dome9 Console and navigate to: Administration -> Users.
- Using the Actions menu next to a username, choose Connect to SSO to enable the user to log in using SSO.
- When SSO is enabled, creating new users will enable SSO by default for the user.
- Connecting a user to SSO will disable the normal login method for that user.
- When disconnecting SSO from a user, the user will need to re-enable MFA in the Dome9 console (if MFA was originally used).
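A pre-flight check for the values copied between the two consoles in the steps above, as an added example that is not part of the Dome9 or Google documentation. The function names, the settings keys, the example hosts and the placeholder certificate bytes are constructed for illustration, and the HTTPS requirement on the two URLs is an assumption.

```python
import base64, hashlib, re
from urllib.parse import urlsplit, urlunsplit
DOME9_ENTITY_ID = "https://secure.dome9.com/"  # Entity ID given in the steps above
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 hex of the DER body, or None unless the paste is one full PEM certificate."""
    m = PEM_RE.fullmatch(pem_text.strip())
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # not base64, e.g. two certificates or stray text in the paste
        return None
    return hashlib.sha256(der).hexdigest() if der[:1] == b"\x30" else None  # DER SEQUENCE tag

def acs_url_from_login_page(login_url):
    """Insert /saml directly after the /sso path segment of the Login Page URL."""
    parts = urlsplit(login_url)
    segs = parts.path.split("/")
    if "sso" not in segs:
        raise ValueError("Login Page URL has no /sso segment")
    i = segs.index("sso")
    if segs[i + 1:i + 2] != ["saml"]:  # leave the URL alone if /saml is already there
        segs.insert(i + 1, "saml")
    return urlunsplit(parts._replace(path="/".join(segs)))

def check_settings(s):
    """Return a list of problems found in the values to be pasted into the two consoles."""
    problems = []
    for key in ("idp_endpoint_url", "acs_url"):  # assumption: both are served over HTTPS
        if urlsplit(s.get(key, "")).scheme != "https":
            problems.append(f"{key}: expected an https URL")
    if cert_fingerprint(s.get("x509_certificate", "")) is None:
        problems.append("x509_certificate: paste the full file, BEGIN/END lines included")
    if "/sso/saml" not in urlsplit(s.get("acs_url", "")).path:
        problems.append("acs_url: /saml must follow /sso")
    if s.get("entity_id") != DOME9_ENTITY_ID:
        problems.append(f"entity_id: must be exactly {DOME9_ENTITY_ID}")
    if s.get("name_id_format") != "EMAIL":
        problems.append("name_id_format: must be EMAIL")
    return problems

# Constructed sample values: placeholder bytes in PEM armor (not a real certificate), example hosts.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % (
    base64.encodebytes(b"\x30\x82\x01\x00" + bytes(256)).decode())
SAMPLE = {"idp_endpoint_url": "https://idp.example/sso?id=PLACEHOLDER",
          "x509_certificate": SAMPLE_PEM, "entity_id": DOME9_ENTITY_ID, "name_id_format": "EMAIL",
          "acs_url": acs_url_from_login_page("https://console.example/sso/PLACEHOLDER")}
```

`check_settings(SAMPLE)` returns an empty list. The fingerprint from `cert_fingerprint` can be recorded at setup time so that a later certificate change on the IdP side is noticed.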